The Facebook Login Phishing Campaign Can Even Trick Savvy Users

It hasn’t been a while sine we last reported on phishing campaigns targeting Facebook accounts. Now, another Facebook login phishing campaign has surfaced online. What makes this one distinct is that even the savviest users may fail to detect it.

Facebook Login Phishing Campaign

Myki has recently discovered a novel Facebook login phishing campaign that is way more difficult to detect. As revealed in a blog post by Myki’s CEO and Co-Founder Antoine Vincent Jebara, the phishing campaign can even trick the smartest users.

According to the details disclosed, they noticed the phishing campaign upon receiving a false bug report regarding Myki’s auto-fill function. The campaign makes use of HTML block with a realistic format to prompt users to log in with their Facebook accounts to access a site.

“When a user visits the malicious website, they are prompted to log in with a social account (Facebook in this case). Upon selecting a login method, the fake login prompt is presented. The user can interact with it, drag it and dismiss it the same way they would a legitimate prompt.”

Once a user enters login credentials to the malicious window, the credentials are sent to the attacker.

The following video shared by Myki demonstrates how the attack works.

Carefully Use ‘Login With Facebook’

For now, there seem no specific methods to identify this phishing campaign since everything looks legit.

“The status bar, navigation bar, shadows and content are perfectly reproduced to look exactly like a legitimate login prompt.”

Moreover, even looking for HTTPS status in the URL won’t work here since the attackers exploit HTML that is easy to manipulate.

However, Myki does share a single method to possibly identify the campaign.

“The best way to protect yourself and avoid filling a similar form is to try dragging the ‘popup’ outside the browser window, which today is not a guideline that users are aware of.”

In a nutshell, Facebook users are presently at high risk of phishing attacks with this campaign. So, make sure to stay very careful while signing-in to blogs and websites using your Facebook accounts.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients